MGM Resorts reveals that last month’s cyberattack cost the company $100 million and allowed hackers to steal customers’ personal information.
The hospitality and entertainment giant disclosed a cybersecurity issue on September 11, 2023, affecting its main website, online reservation systems, and casino services such as slot machines, credit card terminals and ATMs.
A few days later, the threat actor responsible for the outage was revealed to be Scattered Spider, an affiliate of the BlackCat/ALPHV ransomware gang.
These hackers breached MGM’s network through social engineering, stole sensitive data, and encrypted over a hundred ESXi hypervisors.
The impact of the IT system outage, which continued for an extended period, was substantial as the cyberattack disrupted a wide range of its business operations.
“(MGM) estimates a negative impact from the cybersecurity issue in September of approximately $100 million on adjusted property EBITDAR for Las Vegas Strip Resorts and regional operations, taken together,” reads a Form 8-K filing with the SEC.
“While the Company experienced impacts to occupancy due to the availability of reservations through the Company’s website and mobile applications, it was primarily limited to the month of September, which was 88%.”
In addition to losing $100 million in profits, MGM also incurred less than $10 million in one-time expenses for hazard remediation, legal fees, third-party counsel and incident response measures. MGM says it expects to be fully covered by its cybersecurity insurance.
Overall, MGM states that the financial impact will be predominantly limited to the third quarter of 2023 and does not anticipate any significant effect on its annual financial performance.
MGM Resorts believes that the incident has been contained and that all of its guest-facing systems have now been fully restored, with the remaining systems in an offline state expected to resume normal operations in the coming days.
Customer data theft
MGM also warns that threat actors managed to steal the personal information of customers who transacted with MGM before March 2019.
A separate notice was sent to affected individuals yesterday, informing them that the following details have been exposed to cybercriminals, which vary by individual:
- Full name
- Phone number
- Email address
- Postal address
- Driver’s license
- Social Security Number (SSN)
- Passport number
MGM concludes that its investigation has uncovered no signs that the incident exposed customers’ passwords, bank account numbers and payment card information.
The company offers free credit monitoring and identity protection services to those affected by the data breach and warns customers to remain vigilant about unsolicited communications.
“We recommend that you remain alert for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports,” warns MGM Resorts.
“We also recommend that you remain alert to unsolicited communications involving your personal information.”